Table Of Contents

Glossary

Authentication, authorization, and accounting. See also
TACACS+ and
RADIUS.

ABR

Area Border Router. In
OSPF, a router with interfaces in multiple areas.

ACE

Access Control Entry. Information entered into the configuration that lets you specify what type of traffic to permit or deny on an
interface. By default, traffic that is not explicitly permitted is denied.

Access Control List. A collection of
ACEs. An ACL lets you specify what type of traffic to allow on an interface. By default, traffic that is not explicitly permitted is denied. ACLs are usually applied to the
interface which is the source of inbound traffic. See also
rule,
outbound ACL.

ActiveX

A set of object-oriented programming technologies and tools used to create mobile or portable programs. An ActiveX program is roughly equivalent to a Java applet.

Advanced Encryption Standard. A symmetric block cipher that can encrypt and decrypt information. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data in blocks of 128 bits. See also
DES.

AH

Authentication Header. An IP protocol (type 51) that can ensure data integrity, authentication, and replay detection. AH is embedded in the data to be protected (a full IP datagram, for example). AH can be used either by itself or with
ESP. This is an older
IPSec protocol that is less important in most networks than
ESP. AH provides authentication services but does not provide encryption services. It is provided to ensure compatibility with
IPSec peers that do not support
ESP, which provides both
authentication and
encryption. See also
encryption and
VPN. Refer to the RFC 2402.

A record address

"A" stands for address, and refers to name-to-address mapped records in
DNS.

ARP

Address Resolution Protocol. A low-level TCP/IP protocol that maps a hardware address, or MAC address, to an IP address. An example hardware address is 00:00:a6:00:01:ba. The first three groups of characters (00:00:a6) identify the manufacturer; the rest of the characters (00:01:ba) identify the system card. ARP is defined in RFC 826.

ASA

Adaptive Security Algorithm. Used by the security appliance to perform inspections. ASA allows one-way (inside to outside) connections without an explicit configuration for each internal system and application. See also
inspection engine.

ASA

adaptive security appliance.

ASDM

Adaptive Security Device Manager. An application for managing and configuring a single security appliance.

asymmetric encryption

Also called public key systems, asymmetric encryption allows anyone to obtain access to the public key of anyone else. Once the public key is accessed, one can send an encrypted message to that person using the public key. See also
encryption,
public key.

authentication

Cryptographic protocols and services that verify the identity of users and the integrity of data. One of the functions of the
IPSec framework. Authentication establishes the integrity of datastream and ensures that it is not tampered with in transit. It also provides confirmation about the origin of the datastream. See also
AAA,
encryption, and
VPN.

B

BGP

Border Gateway Protocol. BGP performs interdomain routing in TCP/IP networks. BGP is an Exterior Gateway Protocol, which means that it performs routing between multiple autonomous systems or domains and exchanges routing and access information with other BGP systems. The security appliance does not support BGP. See also
EGP.

Bootstrap Protocol. Lets diskless workstations boot over the network as is described in RFC 951 and RFC 1542.

BPDU

Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable intervals to exchange information among bridges in the network. Protocol data unit is the OSI term for packet.

C

CA

Certificate Authority, Certification Authority. A third-party entity that is responsible for issuing and revoking certificates. Each device with the public key of the CA can authenticate a device that has a certificate issued by the CA. The term CA also refers to software that provides CA services. See also
certificate,
CRL,
public key,
RA.

cache

A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks.

CBC

Cipher Block Chaining. A cryptographic technique that increases the encryption strength of an algorithm. CBC requires an initialization vector (IV) to start encryption. The IV is explicitly given in the
IPSec packet.

certificate

A signed cryptographic object that contains the identity of a user or device and the public key of the
CA that issued the certificate. Certificates have an expiration date and may also be placed on a
CRL if known to be compromised. Certificates also establish non-repudiation for
IKE negotiation, which means that you can prove to a third party that
IKE negotiation was completed with a specific peer.

CHAP

Challenge Handshake Authentication Protocol.

CLI

command line interface. The primary interface for entering configuration and monitoring commands to the security appliance.

client/server computing

Distributed computing (processing) network systems in which transaction responsibilities are divided into two parts: client (front end) and server (back end). Also called distributed computing. See also
RPC.

A file on the security appliance that represents the equivalent of settings, preferences, and properties administered by
ASDM or the
CLI.

cookie

A cookie is a object stored by a browser. Cookies contain information, such as user preferences, to persistent storage.

CPU

Central Processing Unit. Main processor.

CRC

Cyclical Redundancy Check. Error-checking technique in which the frame recipient calculates a remainder by dividing frame contents by a prime binary divisor and compares the calculated remainder to a value stored in the frame by the sending node.

CRL

Certificate Revocation List. A digitally signed message that lists all of the current but revoked certificates listed by a given
CA. This is analogous to a book of stolen charge card numbers that allow stores to reject bad credit cards. When certificates are revoked, they are added to a CRL. When you implement authentication using certificates, you can choose to use CRLs or not. Using CRLs lets you easily revoke certificates before they expire, but the CRL is generally only maintained by the
CA or an
RA. If you are using CRLs and the connection to the
CA or
RA is not available when authentication is requested, the authentication request will fail. See also
CA,
certificate,
public key,
RA.

CRV

Call Reference Value. Used by
H.225.0 to distinguish call legs signalled between two entities.

cryptography

Encryption, authentication, integrity, keys and other services used for secure communication over networks. See also
VPN and
IPSec.

crypto map

A data structure with a unique name and sequence number that is used for configuring VPNs on the security appliance. A crypto map selects data flows that need security processing and defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface. Crypto maps contain the
ACLs, encryption standards, peers, and other parameters necessary to specify security policies for
VPNs using
IKE and
IPSec. See also
VPN.

CTIQBE

Computer Telephony Interface Quick Buffer Encoding. A protocol used in IP telephony between the Cisco CallManager and CTI
TAPI and
JTAPI applications. CTIQBE is used by the TAPI/JTAPI protocol inspection module and supports
NAT,
PAT, and bi-directional
NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to communicate with Cisco CallManager for call setup and voice traffic across the security appliance.

cut-through proxy

Enables the security appliance to provide faster traffic flow after user authentication. The cut-through proxy challenges a user initially at the application layer. After the security appliance authenticates the user, it shifts the session flow and all traffic flows directly and quickly between the source and destination while maintaining session state information.

D

data confidentiality

Describes any method that manipulates data so that no attacker can read it. This is commonly achieved by data encryption and
keys that are only available to the parties involved in the communication.

data integrity

Describes mechanisms that, through the use of encryption based on
secret key or
public key algorithms, allow the recipient of a piece of protected data to verify that the data has not been modified in transit.

data origin authentication

A security service where the receiver can verify that protected data could have originated only from the sender. This service requires a data integrity service plus a
key distribution mechanism, where a
secret key is shared only between the sender and receiver.

decryption

Application of a specific algorithm or cipher to encrypted data so as to render the data comprehensible to those who are authorized to see the information. See also
encryption.

DES

Data encryption standard. DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths),
IPSec crypto (56-bit key), and 3DES (triple DES), which performs encryption three times using a 56-bit key. 3DES is more secure than DES but requires more processing for encryption and decryption. See also
AES,
ESP.

DHCP

Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts dynamically, so that addresses can be reused when hosts no longer need them and so that mobile computers, such as laptops, receive an IP address applicable to the
LAN to which it is connected.

Diffie-Hellman

A public key cryptography protocol that allows two parties to establish a shared secret over insecure communications channels. Diffie-Hellman is used within
IKE to establish session keys. Diffie-Hellman is a component of
Oakley key exchange.

Diffie-Hellman Group 1, Group 2, Group 5, Group 7

Diffie-Hellman refers to a type of public key cryptography using asymmetric encryption based on large prime numbers to establish both Phase 1 and Phase 2
SAs. Group 1 provides a smaller prime number than Group 2 but may be the only version supported by some
IPSec peers. Diffe-Hellman Group 5 uses a 1536-bit prime number, is the most secure, and is recommended for use with
AES. Group 7 has an elliptical curve field size of 163 bits and is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC). See also
VPN and
encryption.

Distinguished Name. Global, authoritative name of an entry in the OSI Directory (X.500).

DNS

Domain Name System (or Service). An Internet service that translates domain names into IP addresses.

DoS

Denial of Service. A type of network attack in which the goal is to render a network service unavailable.

DSL

digital subscriber line. Public network technology that delivers high bandwidth over conventional copper wiring at limited distances. DSL is provisioned via modem pairs, with one modem located at a central office and the other at the customer site. Because most DSL technologies do not use the whole bandwidth of the twisted pair, there is room remaining for a voice channel.

DSP

digital signal processor. A DSP segments a voice signal into frames and stores them in voice packets.

DSS

Digital Signature Standard. A digital signature algorithm designed by The US National Institute of Standards and Technology and based on public-key cryptography. DSS does not do user datagram encryption. DSS is a component in classic crypto, as well as the Redcreek
IPSec card, but not in
IPSec implemented in Cisco IOS software.

Exterior Gateway Protocol. Replaced by BGP. The security appliance does not support EGP. See also
BGP.

EIGRP

Enhanced Interior Gateway Routing Protocol. The security appliance does not support EIGRP.

EMBLEM

Enterprise Management BaseLine Embedded Manageability. A syslog format designed to be consistent with the Cisco IOS system log format and is more compatible with CiscoWorks management applications.

encryption

Application of a specific algorithm or cipher to data so as to render the data incomprehensible to those unauthorized to see the information. See also
decryption.

ESMTP

Extended
SMTP. Extended version of
SMTP that includes additional functionality, such as delivery notification and session delivery. ESMTP is described in RFC 1869, SMTP Service Extensions.

ESP

Encapsulating Security Payload. An
IPSec protocol, ESP provides authentication and encryption services for establishing a secure tunnel over an insecure network. For more information, refer to RFCs 2406 and 1827.

F

failover, failover mode

Failover lets you configure two security appliances so that one will take over operation if the other one fails. The security appliance supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover. With Active/Active failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active failover is only available on units running in multiple context mode. With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.

Greenwich Mean Time. Replaced by UTC (Coordinated Universal Time) in 1967 as the world time standard.

GPRS

general packet radio service. A service defined and standardized by the European Telecommunication Standards Institute. GPRS is an IP-packet-based extension of
GSM networks and provides mobile, wireless, data communications

GRE

Generic Routing Encapsulation described in RFCs 1701 and 1702. GRE is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP network. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single protocol backbone environment.

GSM

Global System for Mobile Communication. A digital, mobile, radio standard developed for mobile, wireless, voice communications.

GTP

GPRS tunneling protocol. GTP handles the flow of user packet data and signaling information between the
SGSN and
GGSN in a
GPRS network. GTP is defined on both the Gn and Gp interfaces of a
GPRS network.

H

H.225

A protocol used for TCP signalling in applications such as video conferencing. See also
H.323 and
inspection engine.

H.225.0

An ITU standard that governs H.225.0 session establishment and packetization. H.225.0 actually describes several different protocols: RAS, use of Q.931, and use of
RTP.

H.245

An ITU standard that governs H.245 endpoint control.

H.320

Suite of ITU-T standard specifications for video conferencing over circuit-switched media, such as ISDN, fractional T-1, and switched-56 lines. Extensions of ITU-T standard H.320 enable video conferencing over LANs and other packet-switched networks, as well as video over the
Internet.

H.323

Allows dissimilar communication devices to communicate with each other by using a standardized communication protocol. H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods.

A hash algorithm is a one way function that operates on a message of arbitrary length to create a fixed-length message digest used by cryptographic services to ensure its data integrity. MD5 has a smaller digest and is considered to be slightly faster than
SHA-1. Cisco uses both
SHA-1 and
MD5 hashes within our implementation of the
IPSec framework. See also
encryption,
HMAC, and
VPN.

headend

A firewall, concentrator, or other host that serves as the entry point into a private network for
VPN client connections over the public network. See also
ISP and
VPN.

HMAC

A mechanism for message authentication using cryptographic hashes such as
SHA-1 and
MD5.

host

The name for any device on a TCP/IP network that has an IP address. See also
network and
node.

host/network

An IP address and netmask used with other information to identify a single host or network subnet for security appliance configuration, such as an address translation (
xlate) or
ACE.

HTTP

Hypertext Transfer Protocol. A protocol used by browsers and web servers to transfer files. When a user views a web page, the browser can use HTTP to request and receive the files used by the web page. HTTP transmissions are not encrypted.

Internet Group Management Protocol. IGMP is a protocol used by IPv4 systems to report IP
multicast memberships to neighboring multicast routers.

IKE

Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as
IPSec) that require keys. Before any
IPSec traffic can be passed, each security appliance must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a
CA service. IKE is a hybrid protocol that uses part
Oakley and part of another protocol suite called
SKEME inside
ISAKMP framework. This is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409.

IKE Extended Authentication

IKE Extended Authenticate (Xauth) is implemented per the IETF draft-ietf-ipsec-isakmp-xauth-04.txt ("extended authentication" draft). This protocol provides the capability of authenticating a user within IKE using
TACACS+ or
RADIUS.

IKE Mode Configuration

IKE Mode Configuration is implemented per the IETF draft-ietf-ipsec-isakmp-mode-cfg-04.txt. IKE Mode Configuration provides a method for a security gateway to download an IP address (and other network level configuration) to the VPN client as part of an IKE negotiation.

ILS

Internet Locator Service. ILS is based on LDAP and is ILSv2 compliant. ILS was developed by Microsoft for use with its NetMeeting, SiteServer, and Active Directory products.

IMAP

Internet Message Access Protocol. Method of accessing e-mail or bulletin board messages kept on a mail server that can be shared. IMAP permits client e-mail applications to access remote message stores as if they were local without actually transferring the message.

implicit rule

An access rule automatically created by the security appliance based on default rules or as a result of user-defined rules.

IMSI

International Mobile Subscriber Identity. One of two components of a
GTP tunnel ID, the other being the
NSAPI. See also
NSAPI.

inside

The first interface, usually port 1, that connects your internal, "trusted" network protected by the security appliance. See also
interface,
interface names.

inspection engine

The security appliance inspects certain application-level protocols to identify the location of embedded addressing information in traffic. This allows
NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation. Because many protocols open secondary
TCP or
UDP ports, each application inspection engine also monitors sessions to determine the port numbers for secondary channels. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection engine monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. Some of the protocols that the security appliance can inspect are
CTIQBE,
FTP,
H.323,
HTTP,
MGCP,
SMTP, and
SNMP.

interface

The physical connection between a particular network and a security appliance.

interface ip_address

The IP address of a security appliance network interface. Each interface IP address must be unique. Two or more interfaces must not be given the same IP address or IP addresses that are on the same IP network.

interface names

Human readable name assigned to a security appliance network interface. The inside interface default name is "inside" and the outside interface default name is "outside." Any perimeter interface default names are "intf
n", such as intf2 for the first perimeter interface, intf3 for the second perimeter interface, and so on to the last interface. The numbers in the intf string corresponds to the position of the interface card in the security appliance. You can use the default names or, if you are an experienced user, give each interface a more meaningful name. See also
inside,
intfn,
outside.

intfn

Any interface, usually beginning with port 2, that connects to a subset network of your design that you can custom name and configure.

Internet Protocol. IP protocols are the most popular nonproprietary protocols because they can be used to communicate across any set of interconnected networks and are equally well suited for
LAN and
WAN communications.

An IP protocol address. A security appliance interface ip_address. IP version 4 addresses are 32 bits in length. This address space is used to designate the network number, optional subnetwork number, and a host number. The 32 bits are grouped into four octets (8 binary bits), represented by 4 decimal numbers separated by periods, or dots. The meaning of each of the four octets is determined by their use in a particular network.

IP pool

A range of local IP addresses specified by a name, and a range with a starting IP address and an ending address. IP Pools are used by
DHCP and
VPNs to assign local IP addresses to clients on the inside interface.

IPSec

IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses
IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IPSec Phase 1

The first phase of negotiating
IPSec, includes the key exchange and the
ISAKMP portions of
IPSec.

IPSec Phase 2

The second phase of negotiating
IPSec. Phase two determines the type of encryption rules used for payload, the source and destination that will be used for encryption, the definition of interesting traffic according to access lists, and the
IPSec peer.
IPSec is applied to the interface in Phase 2.

IPSec transform set

A transform set specifies the
IPSec protocol, encryption algorithm, and hash algorithm to use on traffic matching the
IPSec policy. A transform describes a security protocol (
AH or
ESP) with its corresponding algorithms. The
IPSec protocol used in almost all transform sets is
ESP with the
DES algorithm and HMAC-SHA for authentication.

ISAKMP

Internet Security Association and Key Management Protocol. A protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association. See
IKE.

ISP

Internet Service Provider. An organization that provides connection to the
Internet via their services, such as modem dial in over telephone voice lines or
DSL.

Local area network. A network residing in one location, such as a single building or campus. See also
Internet,
intranet, and
network.

layer, layers

Networking models implement layers with which different protocols are associated. The most common networking model is the OSI model, which consists of the following 7 layers, in order: physical, data link, network, transport, session, presentation, and application.

A 32-bit mask that shows how an
Internet address is divided into network, subnet, and host parts. The mask has ones in the bit positions to be used for the network and subnet parts, and zeros for the host part. The mask should contain at least the standard network portion, and the subnet field should be contiguous with the network portion.

Multicast (MC) routers route multicast data transmissions to the hosts on each LAN in an internetwork that are registered to receive specific multimedia or other broadcasts. See also
multicast.

MD5

Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and
SHA-1 are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm.
SHA-1 is more secure than MD4 and MD5. Cisco uses hashes for authentication within the
IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
MD5 has a smaller digest and is considered to be slightly faster than
SHA-1.

MDI

Media dependent interface.

MDIX

Media dependent interface crossover.

Message Digest

A message digest is created by a hash algorithm, such as
MD5 or
SHA-1, that is used for ensuring message integrity.

MGCP

Media Gateway Control Protocol. Media Gateway Control Protocol is a protocol for the control of VoIP calls by external call-control elements known as media gateway controllers or call agents. MGCP merges the IPDC and
SGCP protocols.

Modular Policy Framework. A means of configuring security appliance features in a manner to similar to Cisco IOS software Modular
QoS CLI.

MS

mobile station. Refers generically to any mobile device, such as a mobile handset or computer, that is used to access network services.
GPRS networks support three classes of MS, which describe the type of operation supported within the
GPRS and the
GSM mobile wireless networks. For example, a Class A MS supports simultaneous operation of
GPRS and
GSM services.

Maximum transmission unit, the maximum number of bytes in a packet that can flow efficiently across the network with best response time. For Ethernet, the default MTU is 1500 bytes, but each network can have different values, with serial connections having the smallest values. The MTU is described in RFC 1191.

multicast

Multicast refers to a network addressing method in which the source transmits a packet to multiple destinations, a multicast group, simultaneously. See also
PIM,
SMR.

N

N2H2

A third-party, policy-oriented filtering application that works with the security appliance to control user web access. N2H2 can filter
HTTP requests based on destination host name, destination IP address, and username and password. The N2H2 corporation was acquired by Secure Computing in October, 2003.

NAT

Network Address Translation. Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the
Internet by translating those addresses into a globally routable address space.

In the context of security appliance configuration, a network is a group of computing devices that share part of an IP address space and not a single host. A network consists of multiple nodes or hosts. See also
host,
Internet,
intranet,
IP,
LAN, and
node.

NMS

network management system. System responsible for managing at least part of a network. An NMS is generally a reasonably powerful and well-equipped computer, such as an engineering workstation. NMSs communicate with agents to help keep track of network statistics and resources.

node

Devices such as routers and printers that would not normally be called hosts. See also
host,
network.

Network service access point identifier. One of two components of a
GTP tunnel ID, the other component being the
IMSI. See also
IMSI.

NSSA

Not-so-stubby-area. An OSPF feature described by RFC 1587. NSSA was first introduced in Cisco IOS software release 11.2. It is a non-proprietary extension of the existing stub area feature that allows the injection of external routes in a limited fashion into the stub area.

A key exchange protocol that defines how to acquire authenticated keying material. The basic mechanism for Oakley is the
Diffie-Hellman key exchange algorithm. Oakley is defined in RFC 2412.

object grouping

Simplifies access control by letting you apply access control statements to groups of network objects, such as protocol, services, hosts, and networks.

OSPF

Open Shortest Path First. OSPF is a routing protocol for IP networks. OSPF is a routing protocol widely deployed in large networks because of its efficient use of network bandwidth and its rapid convergence after changes in topology. The security appliance supports OSPF.

OU

Organizational Unit. An X.500 directory attribute.

outbound

Refers to traffic whose destination is on an interface with lower security than the source interface.

PPTP Access Concentrator. A device attached to one or more PSTN or ISDN lines capable of
PPP operation and of handling the
PPTP protocol. The PAC need only implement TCP/IP to pass traffic to one or more
PNSs. It may also tunnel non-IP protocols.

The security appliance feature that gathers and reports a wide variety of feature statistics, such as connections/second, xlates/second, etc.

PFS

Perfect Forwarding Secrecy. PFS enhances security by using different security key for the
IPSec Phase 1 and Phase 2
SAs. Without PFS, the same security key is used to establish
SAs in both phases. PFS ensures that a given
IPSecSA key was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the
IKESA secret key, copy all the
IPSec protected data, and then use knowledge of the
IKESA secret to compromise the
IPSecSA setup by this
IKESA. With PFS, breaking
IKE would not give an attacker immediate access to
IPSec. The attacker would have to break each
IPSecSA individually.

Protocol Independent Multicast. PIM provides a scalable method for determining the best paths for distributing a specific multicast transmission to a group of hosts. Each host has registered using IGMP to receive the transmission. See also
PIM-SM.

PIM-SM

Protocol Independent Multicast-Sparse Mode. With PIM-SM, which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one MC router to the next, until the packets reach every registered host. See also
PIM.

Ping

An
ICMP request sent by a host to determine if a second host is accessible.

A standard for the transfer of PKI-related data, such as private keys, certificates, and other data. Devices supporting this standard let administrators maintain a single set of personal identity information.

PNS

PPTP Network Server. A PNS is envisioned to operate on general-purpose computing/server platforms. The PNS handles the server side of
PPTP. Because
PPTP relies completely on TCP/IP and is independent of the interface hardware, the PNS may use any combination of IP interface hardware including
LAN and
WAN devices.

Policy NAT

Lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list.

POP

Post Office Protocol. Protocol that client e-mail applications use to retrieve mail from a mail server.

A field in the packet headers of
TCP and
UDP protocols that identifies the higher level service which is the source or destination of the packet.

PPP

Point-to-Point Protocol. Developed for dial-up
ISP access using analog phone lines and modems.

PPTP

Point-to-Point Tunneling Protocol. PPTP was introduced by Microsoft to provide secure remote access to Windows networks; however, because it is vulnerable to attack, PPTP is commonly used only when stronger security methods are not available or are not required. PPTP Ports are pptp, 1723/tcp, 1723/udp, and pptp. For more information about PPTP, see RFC 2637. See also
PAC,
PPTP GRE,
PPTP GRE tunnel,
PNS,
PPTP session, and
PPTP TCP.

PPTP GRE

Version 1 of GRE for encapsulating PPP traffic.

PPTP GRE tunnel

A tunnel defined by a
PNS-
PAC pair. The tunnel protocol is defined by a modified version of
GRE. The tunnel carries
PPP datagrams between the
PAC and the
PNS. Many sessions are multiplexed on a single tunnel. A control connection operating over
TCP controls the establishment, release, and maintenance of sessions and of the tunnel itself.

PPTP session

PPTP is connection-oriented. The
PNS and
PAC maintain state for each user that is attached to a
PAC. A session is created when end-to-end
PPP connection is attempted between a dial user and the
PNS. The datagrams related to a session are sent over the tunnel between the
PAC and
PNS.

PPTP TCP

Standard
TCP session over which
PPTP call control and management information is passed. The control session is logically associated with, but separate from, the sessions being tunneled through a
PPTP tunnel.

preshared key

A preshared key provides a method of
IKE authentication that is suitable for networks with a limited, static number of
IPSec peers. This method is limited in scalability because the key must be configured for each pair of
IPSec peers. When a new
IPSec peer is added to the network, the preshared key must be configured for every
IPSec peer with which it communicates. Using
certificates and
CAs provides a more scalable method of
IKE authentication.

primary, primary unit

The security appliance normally operating when two units, a primary and secondary, are operating in failover mode.

A standard that defines the exchange of packets between network nodes for communication. Protocols work together in layers. Protocols are specified in a security appliance configuration as part of defining a security policy by their literal values or port numbers. Possible security appliance protocol literal values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, ipsec, nos, ospf, pcp, snp, tcp, and udp.

Proxy-ARP

Enables the security appliance to reply to an
ARP request for IP addresses in the global pool. See also
ARP.

public key

A public key is one of a pair of keys that are generated by devices involved in public key infrastructure. Data encrypted with a public key can only be decrypted using the associated private key. When a private key is used to produce a digital signature, the receiver can use the public key of the sender to verify that the message was signed by the sender. These characteristics of key pairs provide a scalable and secure method of authentication over an insecure media, such as the
Internet.

Q

QoS

quality of service. Measure of performance for a transmission system that reflects its transmission quality and service availability.

R

RA

Registration Authority. An authorized proxy for a
CA. RAs can perform certificate enrollment and can issue
CRLs. See also
CA,
certificate,
public key.

RADIUS

Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. RFC 2058 and RFC 2059 define the RADIUS protocol standard. See also
AAA and
TACACS+.

Refresh

Retrieve the running configuration from the security appliance and update the screen. The icon and the button perform the same function.

A security service where the receiver can reject old or duplicate packets to defeat replay attacks. Replay attacks rely on the attacker sending out older or duplicate packets to the receiver and the receiver thinking that the bogus traffic is legitimate. Replay-detection is done by using sequence numbers combined with authentication, and is a standard feature of
IPSec.

RFC

Request for Comments. RFC documents define protocols and standards for communications over the
Internet. RFCs are developed and published by
IETF.

Reserved Link Local Address. Multicast addresses range from 224.0.0.0 to 239.255.255.255, however only the range 224.0.1.0 to 239.255.255.255 is available to us. The first part of the multicast address range, 224.0.0.0 to 224.0.0.255, is reserved and referred to as the RLLA. These addresses are unavailable. We can exclude the RLLA range by specifying: 224.0.1.0 to 239.255.255.255. 224.0.0.0 to 239.255.255.255 excluding 224.0.0.0 to 224.0.0.255. This is the same as specifying: 224.0.1.0 to 239.255.255.255.

In routed firewall mode, the security appliance is counted as a router hop in the network. It performs
NAT between connected networks and can use
OSPF or
RIP. See also
transparent firewall mode.

RPC

Remote Procedure Call. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients.

RSA

A
public key cryptographic algorithm (named after its inventors, Rivest, Shamir, and Adelman) with a variable key length. The main weakness of RSA is that it is significantly slow to compute compared to popular secret-key algorithms, such as
DES. The Cisco implementation of
IKE uses a
Diffie-Hellman exchange to get the secret keys. This exchange can be authenticated with RSA (or preshared keys). With the
Diffie-Hellman exchange, the
DES key never crosses the network (not even in encrypted form), which is not the case with the RSA encrypt and sign technique. RSA is not public domain, and must be licensed from RSA Data Security.

RSH

Remote Shell. A protocol that allows a user to execute commands on a remote system without having to log in to the system. For example, RSH can be used to remotely examine the status of a number of access servers without connecting to each communication server, executing the command, and then disconnecting from the communication server.

RTCP

RTP Control Protocol. Protocol that monitors the
QoS of an IPv6
RTP connection and conveys information about the on-going session. See also
RTP.

Real Time Streaming Protocol. Enables the controlled delivery of real-time data, such as audio and video. RTSP is designed to work with established protocols, such as
RTP and
HTTP.

rule

Conditional statements added to the security appliance configuration to define security policy for a particular situation. See also
ACE,
ACL,
NAT.

running configuration

The configuration currently running in RAM on the security appliance. The configuration that determines the operational characteristics of the security appliance.

S

SA

security association. An instance of security policy and keying material applied to a data flow. SAs are established in pairs by
IPSec peers during both phases of
IPSec. SAs specify the encryption algorithms and other security parameters used to create a secure tunnel. Phase 1 SAs (
IKE SAs) establish a secure tunnel for negotiating Phase 2 SAs. Phase 2 SAs (
IPSec SAs) establish the secure tunnel used for sending user data. Both
IKE and
IPSec use SAs, although SAs are independent of one another.
IPSec SAs are unidirectional and they are unique in each security protocol. A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports
ESP between peers, one
ESP SA is required for each direction. SAs are uniquely identified by destination (
IPSec endpoint) address, security protocol (
AH or
ESP), and Security Parameter Index.
IKE negotiates and establishes SAs on behalf of
IPSec. A user can also establish
IPSec SAs manually. An
IKE SA is used by
IKE only, and unlike the
IPSec SA, it is bidirectional.

SCCP

Skinny Client Control Protocol. A Cisco-proprietary protocol used between Cisco Call Manager and Cisco
VoIP phones.

SCEP

Simple Certificate Enrollment Protocol. A method of requesting and receiving (also known as enrolling) certificates from
CAs.

SDP

Session Definition Protocol. An
IETF protocol for the definition of Multimedia Services. SDP messages can be part of
SGCP and
MGCP messages.

secondary unit

The backup security appliance when two are operating in failover mode.

secret key

A secret key is a key shared only between the sender and receiver. See
key,
public key.

security context

You can partition a single security appliance into multiple virtual firewalls, known as security contexts. Each context is an independent firewall, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple stand-alone firewalls.

Secure Hash Algorithm 1. SHA-1 [NIS94c] is a revision to SHA that was published in 1994. SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a 160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as
MD5), but it is slower. Secure Hash Algorithm 1 is a joint creation of the National Institute of Standards and Technology and the National Security Agency. This algorithm, like other hash algorithms, is used to generate a hash value, also known as a message digest, that acts like a
CRC used in lower-layer protocols to ensure that message contents are not changed during transmission. SHA-1 is generally considered more secure than
MD5.

SIP

Session Initiation Protocol. Enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with
SDP for call signaling.
SDP specifies the ports for the media stream. Using SIP, the security appliance can support any SIP
VoIP gateways and
VoIP proxy servers.

site-to-site VPN

A site-to-site
VPN is established between two
IPSec peers that connect remote networks into a single
VPN. In this type of
VPN, neither
IPSec peer is the destination or source of user traffic. Instead, each
IPSec peer provides encryption and authentication services for hosts on the
LANs connected to each
IPSec peer. The hosts on each
LAN send and receive data through the secure tunnel established by the pair of
IPSec peers.

SKEME

A key exchange protocol that defines how to derive authenticated keying material, with rapid key refreshment.

SMR

Stub Multicast Routing. SMR allows the security appliance to function as a "stub router." A stub router is a device that acts as an
IGMP proxy agent.
IGMP is used to dynamically register specific hosts in a multicast group on a particular
LAN with a multicast router. Multicast routers route multicast data transmissions to hosts that are registered to receive specific multimedia or other broadcasts. A stub router forwards
IGMP messages between hosts and
MC routers.

Allows a remote
VPN client simultaneous encrypted access to a private network and clear unencrypted access to the
Internet. If you do not enable split tunneling, all traffic between the
VPN client and the security appliance is sent through an
IPSec tunnel. All traffic originating from the
VPN client is sent to the outside interface through a tunnel, and client access to the
Internet from its remote site is denied.

spoofing

A type of attack designed to foil network security mechanisms such as filters and access lists. A spoofing attack sends a packet that claims to be from an address from which it was not actually sent.

SQL*Net

Structured Query Language Protocol. An Oracle protocol used to communicate between client and server processes.

SSH

Secure Shell. An application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities.

SSL

Secure Sockets Layer. A protocol that resides between the application layer and TCP/IP to provide transparent encryption of data traffic.

Network protocols maintain certain data, called state information, at each end of a network connection between two hosts. State information is necessary to implement the features of a protocol, such as guaranteed packet delivery, data sequencing, flow control, and transaction or session IDs. Some of the protocol state information is sent in each packet while each protocol is being used. For example, a browser connected to a web server uses
HTTP and supporting TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and receives. The security appliance and some other firewalls inspect the state information in each packet to verify that it is current and valid for every protocol it contains. This is called stateful inspection and is designed to create a powerful barrier to certain types of computer security threats.

Static PAT

Static Port Address Translation. Static PAT is a static address that also maps a local port to a global port. See also
Dynamic PAT,
NAT.

With the TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the effected server is intercepted. For each SYN, the security appliance responds on behalf of the server with an empty SYN/ACK segment. The security appliance retains pertinent state information, drops the packet, and waits for the client acknowledgment. If the ACK is received, then a copy of the client SYN segment is sent to the server and the
TCP three-way handshake is performed between the security appliance and the server. If this three-way handshake completes, may the connection resume as normal. If the client does not respond during any part of the connection phase, then the security appliance retransmits the necessary segment using exponential back-offs.

TDP

Tag Distribution Protocol. TDP is used by tag switching devices to distribute, request, and release tag binding information for multiple network layer protocols in a tag switching network. TDP does not replace routing protocols. Instead, it uses information learned from routing protocols to create tag bindings. TDP is also used to open, monitor, and close TDP sessions and to indicate errors that occur during those sessions. TDP operates over a connection-oriented transport layer protocol with guaranteed sequential delivery (such as
TCP). The use of TDP does not preclude the use of other mechanisms to distribute tag binding information, such as piggybacking information on other protocols.

Telnet

A terminal emulation protocol for TCP/IP networks such as the
Internet. Telnet is a common way to control web servers remotely; however, its security vulnerabilities have led to its replacement by
SSH.

TFTP

Trivial File Transfer Protocol. TFTP is a simple protocol used to transfer files. It runs on UDP and is explained in depth in RFC 1350.

A mode in which the security appliance is not a router hop. You can use transparent firewall mode to simplify your network configuration or to make the security appliance invisible to attackers. You can also use transparent firewall mode to allow traffic through that would otherwise be blocked in
routed firewall mode. See also
routed firewall mode.

transport mode

An
IPSec encryption mode that encrypts only the data portion (payload) of each packet, but leaves the header untouched. Transport mode is less secure than tunnel mode.

An
IPSec encryption mode that encrypts both the header and data portion (payload) of each packet. Tunnel mode is more secure than transport mode.

tunnel

A method of transporting data in one protocol by encapsulating it in another protocol. Tunneling is used for reasons of incompatibility, implementation simplification, or security. For example, a tunnel lets a remote
VPN client have encrypted access to a private network.

Turbo ACL

Increases
ACL lookup speeds by compiling them into a set of lookup tables. Packet headers are used to access the tables in a small, fixed number of lookups, independent of the existing number of
ACL entries.

U

UDP

User Datagram Protocol. A connectionless transport layer protocol in the IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, which requires other protocols to handle error processing and retransmission. UDP is defined in RFC 768.

Coordinated Universal Time. The time zone at zero degrees longitude, previously called Greenwich Mean Time (GMT) and Zulu time. UTC replaced GMT in 1967 as the world time standard. UTC is based on an atomic time scale rather than an astronomical time scale.

UTRAN

Universal Terrestrial Radio Access Network. Networking protocol used for implementing wireless networks in UMTS. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a
GGSN, an
SGSN and the
UTRAN.

UUIE

User-User Information Element. An element of an
H.225 packet that identifies the users implicated in the message.

V

VLAN

Virtual
LAN. A group of devices on one or more
LANs that are configured (using management software) so that they can communicate as if they were attached to the same physical network cable, when in fact they are located on a number of different
LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.

VoIP

Voice over IP. VoIP carries normal voice traffic, such as telephone calls and faxes, over an IP-based network. DSP segments the voice signal into frames, which then are coupled in groups of two and stored in voice packets. These voice packets are transported using IP in compliance with ITU-T specification
H.323.

VPN

Virtual Private Network. A network connection between two peers over the public network that is made private by strict authentication of users and the encryption of all data traffic. You can establish VPNs between clients, such as PCs, or a
headend, such as the security appliance.

Vendor-specific attribute. An attribute in a
RADIUS packet that is defined by a vendor rather than by
RADIUS RFCs. The
RADIUS protocol uses IANA-assigned vendor numbers to help identify VSAs. This lets different vendors have VSAs of the same number. The combination of a vendor number and a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A
RADIUS packet contains any VSAs attribute 26, named Vendor-specific. VSAs are sometimes referred to as subattributes.

W

WAN

wide-area network. Data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.

Websense

A content filtering solution that manages employee access to the
Internet. Websense uses a policy engine and a
URL database to control user access to websites.

Windows Internet Naming Service. A Windows system that determines the IP address associated with a particular network device, also known as "name resolution." WINS uses a distributed database that is automatically updated with the
NetBIOS names of network devices currently available and the IP address assigned to each one.WINS provides a distributed database for registering and querying dynamic
NetBIOS names to IP address mapping in a routed network environment. It is the best choice for
NetBIOS name resolution in such a routed network because it is designed to solve the problems that occur with name resolution in complex networks.

X

X.509

A widely used standard for defining digital certificates. X.509 is actually an ITU recommendation, which means that it has not yet been officially defined or approved for standardized usage.